WO2014197128A1 - Methods and systems for single sign-on while protecting user privacy - Google Patents

Methods and systems for single sign-on while protecting user privacy Download PDF

Info

Publication number
WO2014197128A1
WO2014197128A1 PCT/US2014/035030 US2014035030W WO2014197128A1 WO 2014197128 A1 WO2014197128 A1 WO 2014197128A1 US 2014035030 W US2014035030 W US 2014035030W WO 2014197128 A1 WO2014197128 A1 WO 2014197128A1
Authority
WO
WIPO (PCT)
Prior art keywords
user
application
server
user identifier
identifier
Prior art date
Application number
PCT/US2014/035030
Other languages
French (fr)
Inventor
Derrick S. HUHN
Jeremy M. WERNER
Amol V. PATTEKAR
Original Assignee
Apple Inc.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Apple Inc. filed Critical Apple Inc.
Publication of WO2014197128A1 publication Critical patent/WO2014197128A1/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0815Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/45Structures or tools for the administration of authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities

Abstract

A method of enabling applications to reference user information is provided, including receiving a request for a user identifier that references a user of the application and sending a second request for the user identifier to a server. The second request may include a second user identifier that references the user and a second authentication token for the second user identifier. Furthermore, the second user identifier and the second authentication token are not accessible by the user. The method includes receiving the user identifier and an authentication token for the first user identifier. The user identifier corresponds to the second identifier; and providing the user identifier and authentication token to the application. A method of enabling an application to identify users associated with a user of the application is provided; the method may include receiving, from the server, user identifiers that reference one or more users scoped to the application.

Description

METHODS AND SYSTEMS FOR SINGLE SIGN-ON WHILE PROTECTING USER PRIVACY
FIELD OF THE DESCRIBED EMBODIMENTS
[0001] The described embodiments relate generally to methods, devices, and systems for developing applications in datacenters. More particularly, embodiments disclosed herein relate to methods and systems for single sign-on while protecting user privacy and address book discovery for users of network-based software applications.
BACKGROUND
[0002] The proliferation of client computing devices— such as smart phones and tablets— has drastically changed the manner in which software applications are designed and executed. Software applications rely on accessing server computing devices such as a development server that are designed to interact with the software applications. When a software application contacts the server, a user authentication takes place in order for the server to release and provide data and services. In many instances, the application provider or developer handles the user personal information in the sign-on process with the development server. While this configuration simplifies operation of the software application, it exposes the privacy of the users to a third party (at least the developer). As developers take advantage of the information they may handle, users become bombarded with unwanted advertisements, solicitation, and e-mail spam. Eventually, the software application becomes unpopular and loses user subscriptions.
[0003] Therefore, what is desired is a sign-on configuration for a network-based software application that protects user privacy from third parties.
SUMMARY OF THE DESCRIBED EMBODIMENTS
[0004] In a first embodiment, a method for enabling applications to reference user information is provided. The method may include receiving, from an application, a first request for a first user identifier that references a user of the application and sending a second request for the first user identifier to a server. Accordingly, the second request includes a second user identifier that references the user and a second authentication token for the second user identifier, where the second user identifier and the second authentication token are not accessible by the user. The method may also include receiving, from the server, the first user identifier and a first authentication token for the first user identifier, where, in some embodiments, the first user identifier corresponds to the second identifier. Finally, the method includes providing the first user identifier and the first authentication token to the application.
[0005] In a second embodiment, a method for enabling an application to identify one or more users associated with a first user of the application is provided. The method includes receiving, from an application, contact information that can be used to identify one or more users. The method further includes receiving, from the application, a request for one or more user identifiers that reference the one or more users, and sending, to a server, the contact information and the request for one or more user identifiers that reference the one or more users. In some embodiments, the method includes receiving, from the server, the one or more user identifiers that reference one or more users. Furthermore, the method may include receiving, from the server, a correlation between the one or more user identifiers and the one or more users, and, further, providing the one or more user identifiers and the correlation between the one or more user identifiers and the one or more users to the application.
[0006] In a third embodiment, a method for enabling an application to identify one or more users associated with a first user of the application is provided. The method includes receiving, from an application, a request for one or more user identifiers that reference one or more users in a contact list of the first user, wherein the contact list is not accessible to the application. Also, the method may include sending, to a server, the request for one or more user identifiers that reference one or more users in the contact list, receiving, from the server, the one or more user identifiers that reference one or more users, and, finally, providing the one or more user identifiers to the application.
[0007] Other aspects and advantages of the invention will become apparent from the following detailed description taken in conjunction with the accompanying drawings which illustrate, by way of example, the principles of the described embodiments
BRIEF DESCRIPTION OF THE DRAWINGS
[0008] The described embodiments may be better understood by reference to the following description and the accompanying drawings. Additionally, advantages of the described embodiments may be better understood by reference to the following description and accompanying drawings. These drawings do not limit any changes in form and detail that may be made to the described embodiments. Any such changes do not depart from the spirit and scope of the described embodiments.
[0009] FIG. 1 illustrates a block diagram of a development server and a client device in a single sign-on configuration, according to some embodiments.
[0010] FIG. 2 illustrates a block diagram of a client device adapted for a single sign-on configuration, according to some embodiments.
[0011] FIG. 3 illustrates a block diagram of a container in a development server adapted for a single sign-on configuration, according to some embodiments.
[0012] FIG. 4 illustrates a block diagram of a client and a container in an address book discovery configuration, according to some embodiments.
[0013] FIG. 5 illustrates a flow chart including steps in a method for a single sign- on configuration, according to some embodiments.
[0014] FIG. 6 illustrates a flow chart including steps in a method for a single sign- on configuration including multiple user identifiers, according to some embodiments.
[0015] FIG. 7 illustrates a flow chart including steps in a method for discovering address books in network-based software applications, according to some embodiments.
[0016] FIG. 8 illustrates a flow chart including steps in a method for discovering address books in network-based software applications, including receiving information selected from an address book, according to some embodiments.
[0017] FIG. 9 illustrates a flow chart including steps in a method for discovering address books in network-based software applications, according to some embodiments.
[0018] FIG. 10 illustrates a flow chart including steps in a method for discovering address books in network-based software applications as above, including discovering users with given addresses, according to some embodiments.
[0019] FIG. 11 illustrates a flow chart including steps in a method for creating e- mail user lists, according to some embodiments.
[0020] In the figures, elements referred to with the same or similar reference numerals include the same or similar structure, use, or procedure, as described in the first instance of occurrence of the reference numeral.
DETAILED DESCRIPTION OF SELECTED EMBODIMENTS
[0021] Representative applications of methods and apparatus according to the present application are described in this section. These examples are being provided solely to add context and aid in the understanding of the described embodiments. It will thus be apparent to one skilled in the art that the described embodiments may be practiced without some or all of these specific details. In other instances, well known process steps have not been described in detail in order to avoid unnecessarily obscuring the described embodiments. Other applications are possible, such that the following examples should not be taken as limiting.
[0022] In the following detailed description, references are made to the accompanying drawings, which form a part of the description and in which are shown, by way of illustration, specific embodiments in accordance with the described embodiments. Although these embodiments are described in sufficient detail to enable one skilled in the art to practice the described embodiments, it is understood that these examples are not limiting; such that other embodiments may be used, and changes may be made without departing from the spirit and scope of the described embodiments.
[0023] Use of network-based software applications has rapidly increased due to the availability of a large variety of portable or handheld electronic devices capable of coupling to a network. A client device, such as a smart phone, a tablet computer, or a laptop computer may run the software application by using remote resources accessible through a network server. The network server may be a development server providing storage and data processing capabilities to the software application (hereinafter referred to as 'application'). To run the application, the client device presents a unique authentication token to sign-on with the development server. With the authentication token, the development server may determine the attributes and privileges of the user handling the client device as regards to the software application. Thus, in embodiments disclosed herein, the user personal information is kept private from a third party.
[0024] In embodiments consistent with the present disclosure, the application logs-in the user without asking the user for private information or any other registration protocol. The authentication process is transparent to the user handling the client device, thus creating a pleasant experience. Any authenticated information or private information from the user is hidden from the application itself. The application sees a stable user ID consistent with data lists stored in the development server. Thus, according to embodiments disclosed herein, a single sign-on configuration protecting the user privacy is able to create stable user IDs for use across multiple applications. No private information from the user is shared with the application or the application developers. This is all the more relevant for users executing multiple applications, some of which may link the client device to a third party network server. The user handling the client device may desire to keep personal information private, and not share it with the third party network servers.
[0025] FIG. 1 illustrates a block diagram of a development server 100 and a client device 150 in a single sign-on configuration 10, according to some embodiments. In single sign-on configuration 10, a client device 150 interacts with a development server 100 through a network link 181. Each of the client device 150, the development server 100, and the user electronic device 150 may include a memory circuit and a processor circuit. The memory circuits store commands and data that, when executed, cause the processor circuits to perform operations in accordance with embodiments disclosed herein. For example, client device 150 includes processor circuit 151 and memory circuit 152; and development server 100 includes processor circuit 111 and memory circuit 112.
[0026] Development server 100 includes a plurality of containers 101-1, 101-2, and 101-3 (collectively referred to hereinafter as containers 101). Containers 101 include data structures associated with Applications 120-1 (Application A), 120-2 (Application B), and 120-3 (Application C), generically referred to hereinafter as application 120. Containers 101 include data structures that are manipulated by processor circuit 111 upon request by client device 150. The specific correlation between containers 101 and Applications 120-1, 120-2, and 120-3 may not be one-to- one. For example, FIG. 1 illustrates Application A associated with containers 101-1 and 101-2, Application B associated with container 101-3, and Application C also associated with container 101-3. Containers 101 may be shared by multiple applications and multiple client devices. One of skill in the art will recognize that the specific number of containers 101 and applications in development server 100 is not limiting of embodiments consistent with the present disclosure. In other words, any number of applications and containers 101 may be included in development server 100. Furthermore, the number of applications 120 may be different from the number of containers 101.
[0027] Client device 150 includes an application 120 and a daemon 190. Application 120 may be any type of network-based executable software code, including any one of applications 120-1, 120-2, and 120-3. Daemon 190 may include an independent operating system process generated by applications executing on the client device. In some embodiments, single sign-on configuration 10 involves implementing the daemon 190 on each of the client computing devices to interact with development server 100.
[0028] Accordingly, in some embodiments, development server 100 receives a request from client device 150 to create or lookup a given user identifier (ID) 185. Development server 100 then determines whether a user handling client device 150 is already registered with development server 100. If the user is not registered, then development server 100 creates user ID 185 associated with a Destination Signaling ID (DSID) 192. Client device 150 including DSID 191 may be associated with an authentication token 192. Authorization token 191 may be an encrypted code such as a password so that server 100 securely identifies client device 150. In some embodiments, authentication token 192 may also be associated to application 120. In that regard, when the user handling client device 150 taps on application 120, application 120 may prompt the user to enter authentication token 192. Development server 100 then returns user ID 185 associated with DSID 191 and authorization token 191 scoped to a container in the development server. DSID 191 may be an identifier for a client device, and authentication token 192 may be a password or some other encrypted code associated with DSID 191 and the application name. For example, a given application may have a password for access by a user handling the client device.
[0029] FIG. 2 illustrates a block diagram of a client device 150 adapted for single sign-on configuration 10, according to some embodiments. Client device 150 includes application 120, daemon 190, processor circuit 151, and memory circuit 152. In some embodiments, application 120 further includes an application name 271 and a container name 272 that client device 150 provides daemon 190 to use in single sign- on configuration 10. Daemon 190 includes DSID 191 and authentication token 191, as discussed above. In some embodiments, authentication token 192 is provided to daemon 190 by the user, through a password or some other code, signature, or biometric measure.
[0030] According to some embodiments, daemon 190 provides DSID 191 , authorization token 192, and application name 271 to development server 100. Daemon 190 may receive user ID 185 from development server 100 to execute application 120 in client device 150. Daemon 190 may transmit requests from development server 100 to client device 150 during execution of application 120. Such requests may be related to security procedures and maintenance operations by development server 100.
[0031] Client device 150 may be a portable electronic device such as a laptop or a tablet computer, a handheld electronic device such as a smart phone or any other cellular phone. In some embodiments, client device 150 may be a web site located in a network server operated by the client. Further, in some embodiments client device 150 may be a website located in a network server operated by a third party vendor, and a user of application 120 logs in to the website.
[0032] FIG. 3 illustrates a block diagram of a container 101 in development server 100 adapted for single sign-on configuration 10, according to some embodiments. Container 101 may include a table 300 having lines associating each of a plurality of DSIDs 191-1 through 191-n and each of a plurality of authentication tokens 192-1 through 192-n, with a plurality of user IDs 185-1 through 185-n. The value 'n' can be any number of lines in table 300, as one of ordinary skill will recognize.
[0033] In some embodiments of single sign-on configuration 10, development server 100 receives a request including application name 271 from client device 150. Then, development server 100 identifies any one of containers 101 (cf. FIG. 1) associated with application name 271. Development server 100 then determines whether there is an association (mapping) between DSID 191 and a user ID 185 in the identified container. If no association exists between DSID 191 and a user ID 185, then development server 100 creates user ID 185. Development server then adds a line to table 300 in the container. The line associates the newly created user ID 185 and DSID 192 of client device 150 requesting access to application 120. Accordingly, development server 100 returns newly created user ID 185 and authentication token 192 to client device 150. If there is an association between DSID 191 and user ID 185 in table 300, then development server 100 returns existing user ID 185 and authentication token 192 to client device 150. Thus, embodiments consistent with the present disclosure enable network-based software applications to be executed from client device 150 using a single sign-on procedure while protecting user privacy. For example, client device 150 may sign-on to development server 100 only once and be ready to execute a plurality of applications 120. Since table 300, including user IDs 185 associated with DSIDs 191 and authentication tokens 192, is stored in a container in the development server, a smooth and secure operation is obtained.
[0034] FIG. 4 illustrates a block diagram of a client device 150 and a container 101 in an address book discovery configuration 400, according to some embodiments. Client device 150 includes application 120, daemon 190, processor circuit 151, and memory circuit 152, as described in detail above (cf. FIGS. 1- 3). Client device 150 may also include an address book 450. In some embodiments address book 450 may be stored in memory circuit 152. Accordingly, address book 450 includes a plurality of names 451 (names 1 through k). Associated with each of the plurality of names 451, address book 450 includes a plurality of lists 452 (lists 1 through k). Lists 452 include personal information for each name 451. In some embodiments, names 451 correspond to users subscribed to application 120. Further according to some embodiments, names 451 may correspond to users subscribed to an application contained in development server 100. Personal information 452 may include a user e- mail, a user phone number, address, mailing address, and other personal information associated with the name. Address book discovery configuration 400 may include a map 402 in container 101. Map 402 includes a list of user IDs 185-1 through 185-m. Each of user IDs 185-1 through 185-m is associated with a user personal information 410- through 410-m. User personal information 410 includes a user e-mail 420, a user phone no. 430, and any other personal information associated with user ID 185.
[0035] In some embodiments of address book discovery configuration 400, developer server 100 provides a prompt 401 to client device 150 to allow discovery of address book 450. Upon acceptance by the user handling client device 150, developer server 100 may perform a discovery of address book 450. The discovery may include searching for matches between entries in address book 450 with any of the entries in map 402 or in table 300 in container 101. For example, a match between a name 451 and a user ID 185 in table 300 (cf. FIG. 3) may be found during discovery. Accordingly, server 100 searches for matches in address book 450 with maps 400 and tables 300 in a plurality of containers 101. For example, some embodiments of an address book discovery configuration include search for matches of address book 450 in containers 101 not necessarily associated with application 120.
[0036] FIG. 5 illustrates a flow chart including steps in a method 500 for single sign-on configuration, according to some embodiments. A single sign-on configuration as illustrated in FIG. 5 may include a development server coupled to a client device through a network link (e.g., single sign-on configuration 10, development server 100, and client device 150, cf. FIG. 1 above). The client device may be executing a network-based software application (e.g., application 120, cf. FIG. 1). Steps in method 500 may be performed partially or completely by a processor circuit in the development server, where the processor circuit executes commands stored in a memory circuit (e.g., processor circuit 111 and memory circuit 112, cf. FIG. 1). In some embodiments, steps in method 500 may be performed partially or completely by a processor circuit in the client device, the processor circuit executing commands stored in a memory circuit (e.g., processor circuit 151, and memory circuit 152, cf. FIG. 1).
[0037] Step 510 includes receiving a first request for a first user identifier (e.g., user ID 185). The request may be provided by a server upon a user attempt to execute the network-based software application. Step 520 includes sending a second request for the first user identifier to a server (e.g., the developer server). For example, in some embodiments the request may be generated by a second network-based software application executed by the user handling the client device. In some embodiments step 520 may include providing the server a DSID an authentication token (e.g., DSID 191 and authentication token 192, cf. FIG. 1). Step 530 includes receiving from the server the first user identifier and the authentication token (e.g., user ID 185, and authentication token 192, cf. FIG. 1). According to some embodiments, steps 520 and 530 may be partially or totally performed by a daemon in the client device (e.g., daemon 190, cf. FIG. 1). Step 540 includes providing the first user identifier and the first authentication token to the application. Accordingly, in some embodiments step 540 is performed by the daemon in the client device.
[0038] FIG. 6 illustrates a flow chart including steps in a method 600 for single sign-on configuration including multiple user identifiers, according to some embodiments. A single sign-on configuration as illustrated in FIG. 6 may include a development server coupled to a client device through a network link (e.g., single sign-on configuration 10, development server 100, and client device 150, cf. FIG. 1 above). The client device may be executing a network-based software application (e.g., application 120, cf. FIG. 1). Steps in method 600 may be performed partially or completely by a processor circuit in the development server, where the processor circuit executes commands stored in a memory circuit (e.g., processor circuit 111 and memory circuit 112, cf. FIG. 1). In some embodiments, steps in method 600 may be performed partially or completely by a processor circuit in the client device, the processor circuit executing commands stored in a memory circuit (e.g., processor circuit 151, and memory circuit 152, cf. FIG. 1).
[0039] Step 610 may include receiving from the application a request for one or more user IDs (e.g., user ID 185, cf. FIG. 1). Step 620 may include sending to a server (e.g., the development server) the request for one or more user IDs from step 610. Step 630 may include receiving from the server one or more user IDs. Accordingly, in some embodiments steps 610 through 630 are performed partially or totally by the development server coupled to a daemon process in the client device daemon 190, cf. FIG. 1).
[0040] FIG. 7 illustrates a flow chart including steps in a method 700 for discovering address books in network-based software applications, according to some embodiments. Method 700 may include a development server coupled to a client device through a network link (e.g., development server 100, and client device 150, cf. FIG. 1 above). Steps in method 700 may be performed partially or completely by a processor circuit in the development server, where the processor circuit executes commands stored in a memory circuit (e.g., processor circuit 111 and memory circuit 112, cf. FIG. 1). In some embodiments, steps in method 700 may be performed partially or completely by a processor circuit in the client device, the processor circuit executing commands stored in a memory circuit (e.g., processor circuit 151, and memory circuit 152, cf. FIG. 1).
[0041] Step 710 includes querying an address book in the client device. In some embodiments, step 710 may include providing a prompt requesting an address book query from a user handling the client device, by the server (e.g., prompt 401, cf. FIG. 4). Step 720 includes providing the address book to a server. Step 730 includes selecting vetted addresses from the server. Accordingly, step 730 may include comparing addresses in the address book with addresses in a container stored in the server (e.g., one of containers 101, cf. FIG. 1). A vetted address may be an address of a registered user included in the container. Step 740 includes querying user IDs for e- mail and phone numbers in the address book. Step 750 includes providing a contact- to-user ID mapping to the client device. Accordingly, step 750 may include creating a map in the container, or adding a line to an already existing map in the container (e.g., map 402, cf. FIG. 4). [0042] FIG. 8 illustrates a flow chart including steps in a method 800 for discovering address books in network-based software applications, including receiving information selected from an address book, according to some embodiments. Method 800 may include a development server coupled to a client device through a network link (e.g., development server 100, and client device 150, cf. FIG. 1 above). The address book in method 800 may be stored in the client device (e.g., address book 450, cf. FIG. 4). The client device may be executing a network- based software application (e.g., application 120, cf. FIG. 1). Steps in method 800 may be performed partially or completely by a processor circuit in the development server, where the processor circuit executes commands stored in a memory circuit (e.g., processor circuit 111 and memory circuit 112, cf. FIG. 1). In some embodiments, steps in method 800 may be performed partially or completely by a processor circuit in the client device, the processor circuit executing commands stored in a memory circuit (e.g., processor circuit 151, and memory circuit 152, cf. FIG. 1). Furthermore, steps in method 800 may be performed by a daemon process coupling the client device with the server through a network link (e.g., daemon 190 and link 181, cf. FIG. 1).
[0043] Step 810 includes receiving from the application contact information that can be used to identify one or more users. Accordingly, step 810 may include personal information retrieved from the address book in the client device (e.g., personal information 452, FIG. 4). Step 820 includes receiving from the application a request for one or more user identifiers. The one or more user identifiers may be associated with one or more network-based software applications being executed by one or more client devices. Step 830 includes sending to a server (e.g., development server 100) the contact information and the request for the one or more user identifiers. Step 840 includes receiving from the server one or more user identifiers that reference on or more users. For example, in some embodiments a single user handling a client device may be associated with one or more user identifiers for one or more applications. Step 850 includes receiving from the server a correlation between a user identifier and a user. Accordingly, step 850 may include receiving a map from the server (e.g., map 402, cf. FIG. 4). Step 860 includes providing to the application a user identifier and a correlation between a user identifier and a user. Accordingly, step 860 may be performed by the daemon interacting with the network-based software application in the client device. [0044] FIG. 9 illustrates a flow chart including steps in a method 900 for discovering address books in network-based software applications, according to some embodiments. Method 900 may include a development server coupled to a client device through a network link (e.g., development server 100, and client device 150, cf. FIG. 1 above). The address book in method 900 may be stored in the client device (e.g., address book 450, cf. FIG. 4). Steps in method 900 may be performed partially or completely by a processor circuit in the development server, where the processor circuit executes commands stored in a memory circuit (e.g., processor circuit 111 and memory circuit 112, cf. FIG. 1). In some embodiments, steps in method 900 may be performed partially or completely by a processor circuit in the client device, the processor circuit executing commands stored in a memory circuit (e.g., processor circuit 151, and memory circuit 152, cf. FIG. 1). Steps in method 900 may be performed by the server interacting with a daemon process running in the client device (daemon 190, cf. FIG. 1).
[0045] Step 910 includes requesting user IDs and an address book to the client device. Step 920 includes querying an address book in the client device. Step 920 may include searching in the address book for names that may be stored in a container included in the server (e.g., names 450 and container 101, cf. FIG. 4). Step 930 includes receiving the address book in the server (e.g., the development server). Accordingly, step 930 may include receiving the entire address book from the client device. In some embodiments step 930 includes receiving in the server only the portions of the address book that have a match between a name in the address book and a name stored in the container. Step 940 includes mapping contacts to network- based software applications scoped to the user IDs. Accordingly, step 940 may include adding lines in a map included in a container. The added lines may include user e-mail values and user phone number values retrieved from the address book (e.g., user e-mails 420 and user phone nos. 430, cf. FIG. 4). Step 950 includes providing the application scoped user IDs to a user registered in the server. Accordingly, the user registered in the server may be a different user than the user handling the client device from which the address book has been queried.
[0046] FIG. 10 illustrates a flow chart including steps in a method 1000 for discovering address books in network-based software applications, including discovering users with given addresses, according to some embodiments. Method 1000 may include a development server coupled to a client device through a network link (e.g., development server 100, and client device 150, cf. FIG. 1 above). Address books in method 1000 may be stored in the client device (e.g., address book 450, cf. FIG. 4). Steps in method 1000 may be performed partially or completely by a processor circuit in the development server, where the processor circuit executes commands stored in a memory circuit (e.g., processor circuit 111 and memory circuit 112, cf. FIG. 1). In some embodiments, steps in method 1000 may be performed partially or completely by a processor circuit in the client device, the processor circuit executing commands stored in a memory circuit (e.g., processor circuit 151, and memory circuit 152, cf. FIG. 1). Steps in method 900 may be performed by the server interacting with a daemon process running in the client device (daemon 190, cf. FIG.
1).
[0047] Step 1010 includes retrieving an address book from a user registered to a server. Step 1020 includes discovering users with given addresses in the address book. For example, step 1020 may include finding a match for a known address stored in a container included in the server with an address in the address book included in the client device. Step 1030 includes receiving an address book in the server. Accordingly, step 1030 may include receiving the entire address book from the client device. In some embodiments step 1030 includes receiving in the server only the portions of the address book that have a match between an address in the address book and an address stored in a container (e.g., container 101, cf. FIG. 4). Step 1040 includes mapping contacts to network-based software applications scoped to the user IDs. Accordingly, step 1040 may include associating a user ID and user personal information in a map (e.g., map 402) with a plurality of applications included in the container. Step 1050 includes providing the scoped user IDs to a user registered in the server. Accordingly, the user registered in the server may be a different user than the user handling the client device from which the address book has been queried.
[0048] FIG. 11 illustrates a flow chart including steps in a method 1100 for creating e-mail user lists, according to some embodiments. Method 1100 may include a development server coupled to a client device through a network link (e.g., development server 100, client device 150, and network link 181, cf. FIG. 1 above). Steps in method 1100 may be performed partially or completely by a processor circuit in the development server, where the processor circuit executes commands stored in a memory circuit (e.g., processor circuit 111 and memory circuit 112, cf. FIG. 1). In some embodiments, steps in method 1100 may be performed partially or completely by a processor circuit in the client device, the processor circuit executing commands stored in a memory circuit (e.g., processor circuit 151, and memory circuit 152, cf. FIG. 1).
[0049] Step 1110 includes requesting user permission for discovery scope in an address book. The address book in method 1100 may be stored in the client device (e.g., address book 450, cf. FIG. 4). If the user does not accept in step 1120, then step 1125 includes making the address book not discoverable. If the user accepts in step 1120, step 1130 includes making the address book discoverable. For example, step 1130 may include providing a daemon in the client device with a configuration that allows the server to perform a method such as methods 700, 800, and 900, above. Step 1140 determines if the user accepts e-mails from the server. If the user rejects e- mails from the server, step 1145 includes removing the user from an e-mail list. If the user accepts e-mails from the server, step 1150 includes adding the user to the e-mail list. Step 1160 includes receiving a user interface from the server (e.g., developer server 100) to generate e-mails. Step 1170 includes providing the server a center to send e-mails to users in the e-mail list. Step 1180 includes allowing users to toggle discoverability settings and e-mail alert settings. In some embodiments, the toggles may be grouped according to a plurality of containers in the server (e.g., containers 101, cf. FIG. 1).
[0050] The various aspects, embodiments, implementations or features of the described embodiments can be used separately or in any combination. Various aspects of the described embodiments can be implemented by software, hardware or a combination of hardware and software. The described embodiments can also be embodied as computer readable code on a computer readable medium for controlling manufacturing operations or as computer readable code on a computer readable medium for controlling a manufacturing line. The computer readable medium is any data storage device that can store data which can thereafter be read by a computer system. Examples of the computer readable medium include read-only memory, random-access memory, CD-ROMs, HDDs, DVDs, magnetic tape, and optical data storage devices. The computer readable medium can also be distributed over network-coupled computer systems so that the computer readable code is stored and executed in a distributed fashion. [0051] The foregoing description, for purposes of explanation, used specific nomenclature to provide a thorough understanding of the described embodiments. However, it will be apparent to one skilled in the art that the specific details are not required in order to practice the described embodiments. Thus, the foregoing descriptions of specific embodiments are presented for purposes of illustration and description. They are not intended to be exhaustive or to limit the described embodiments to the precise forms disclosed. It will be apparent to one of ordinary skill in the art that many modifications and variations are possible in view of the above teachings.

Claims

What is claimed is:
1. A method for enabling applications to reference user information, the method comprising:
receiving, from an application, a first request for a first user identifier that references a user of the application;
sending a second request for the first user identifier to a server, the second request including:
a second user identifier that references the user, and
a second authentication token for the second user identifier, wherein the second user identifier and the second authentication token are not accessible by the user; receiving, from the server, the first user identifier and a first authentication token for the first user identifier, wherein the first user identifier corresponds to the second identifier; and
providing the first user identifier and the first authentication token to the
application.
2. The method of claim 1 , wherein the second request further includes a container identifier that identifies a container associated with the application, and the first user identifier is accessible by applications when the applications are associated with the container.
3. The method of claim 1, further comprising:
receiving, at the server from a computing device, the second request, including the second user identifier and the second authentication token;
determining whether an association exists between the second user identifier and an application-accessible user identifier; and
sending the application-accessible user identifier and an associated
application-accessible authentication token to the computing device, wherein the first user identifier is the application-accessible user identifier.
4. The method of claim 3, wherein:
receiving the second request includes receiving a container identifier that identifies a container associated with the application, and identifying a container association with the container identifier; and determining whether an association exists further comprises determining whether an association exists between the container identifier and the second user identifier, wherein the first user identifier is accessible by applications associated with the container when the association exists.
5. The method of claim 3, further comprising:
in response to determining that an association does not exist between the second user identifier and an application-accessible user identifier: generating a new application-accessible user identifier, and creating an association between the second user identifier and the new application-accessible user identifier.
6. The method of claim 5, wherein the association is represented by a mapping table, and creating an association between the second user identifier and the new application-accessible user identifier comprises creating an entry in the mapping table that maps the second user identifier to the new application-accessible user identifier.
7. The method of claim 3, wherein the association is represented by a mapping table, and determining whether an association exists between the second user identifier and an application-accessible user identifier comprises searching the mapping table for an entry that includes the second user identifier.
8. The method of claim 1 , wherein the authentication token can be used to verify an identity of the user.
9. A method for enabling an application to identify one or more users associated with a first user of the application, the method comprising:
receiving, from an application, contact information that can be used to identify one or more users;
receiving, from the application, a request for one or more user identifiers that reference the one or more users;
sending, to a server, the contact information and the request for one or more user identifiers that reference the one or more users;
receiving, from the server, the one or more user identifiers that reference one or more users, and a correlation between the one or more user identifiers and the one or more users; and
providing the one or more user identifiers and the correlation between the one or more user identifiers and the one or more users to the application.
10. The method of claim 9, wherein the contact information comprises a list of email addresses associated with the one or more users, and the correlation between the one or more user identifiers and the one or more users includes a mapping between the one or more user identifiers and email addresses in the list of email addresses that correspond to the one or more user identifiers.
11. A method of enabling an application to identify one or more users associated with a first user of the application, the method comprising:
receiving, from an application, a request for one or more user identifiers that reference one or more users in a contact list associated with the first user, wherein the contact list is not accessible to the application;
sending, to a server, the request for one or more user identifiers that reference one or more users in the first user's contact list;
receiving, from the server, the one or more user identifiers that reference one or more users; and
providing the one or more user identifiers to the application.
12. The method of claim 11, further comprising sending, to the server, the first user's contact list.
13. A method for discovering address books in network-based software applications, the method comprising:
at a client device:
querying an address book in the client device;
providing the address book to a server;
selecting at least one vetted address from the server;
querying user identifiers (IDs) for e-mail and phone numbers in the address book; and
providing a contact-to-user ID mapping to the client device.
14. The method of claim 13, further comprising providing a prompt to a user handling the client device.
15. The method of claim 13, wherein selecting the at least one vetted address from the server comprises comparing addresses in the address book with addresses in a container that is stored in the server.
16. The method of claim 15, wherein selecting the at least one vetted address from the server comprises selecting an address of a registered user included in the container.
17. The method of claim 15, further comprising creating a map in the container.
18. The method of claim 17, wherein creating a map in the container comprises adding a line to an already existing map in the container, the line including a user ID associated with personal information, the personal information comprising a user e- mail and a user phone number.
19. A method for creating e-mail user lists, the method comprising:
issuing a request, to a user, for discovery scope in an address book;
making the address book discoverable;
adding the user to an e-mail list stored in a server; and
receiving a user interface from the server to generate e-mails.
20. The method of claim 19, further comprising allowing a user in the e-mail list to toggle discoverability settings and e-mail alert settings.
PCT/US2014/035030 2013-06-07 2014-04-22 Methods and systems for single sign-on while protecting user privacy WO2014197128A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US13/913,232 US9479490B2 (en) 2013-06-07 2013-06-07 Methods and systems for single sign-on while protecting user privacy
US13/913,232 2013-06-07

Publications (1)

Publication Number Publication Date
WO2014197128A1 true WO2014197128A1 (en) 2014-12-11

Family

ID=52006672

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2014/035030 WO2014197128A1 (en) 2013-06-07 2014-04-22 Methods and systems for single sign-on while protecting user privacy

Country Status (3)

Country Link
US (3) US9479490B2 (en)
TW (1) TWI521373B (en)
WO (1) WO2014197128A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106899546A (en) * 2015-12-17 2017-06-27 阿里巴巴集团控股有限公司 The acquisition methods and device of user profile

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9479490B2 (en) 2013-06-07 2016-10-25 Apple Inc. Methods and systems for single sign-on while protecting user privacy
CN105592011B (en) * 2014-10-23 2019-12-24 阿里巴巴集团控股有限公司 Account login method and device
US10606622B1 (en) * 2016-06-30 2020-03-31 EMC IP Holding Company LLC Method and system for web application localization using hierarchical resolution
US11144620B2 (en) * 2018-06-26 2021-10-12 Counseling and Development, Inc. Systems and methods for establishing connections in a network following secure verification of interested parties
CN110008019B (en) * 2019-02-28 2021-06-08 张帅辰 Method, device and system for sharing server resources
CN110032855A (en) * 2019-02-28 2019-07-19 招银云创(深圳)信息技术有限公司 Login method, device, computer equipment and the storage medium of application
WO2021232347A1 (en) * 2020-05-21 2021-11-25 Citrix Systems, Inc. Cross device single sign-on

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2001072009A2 (en) * 2000-03-17 2001-09-27 At & T Corp. Web-based single-sign-on authentication mechanism
US20040267870A1 (en) * 2003-06-26 2004-12-30 Rozmus John Michael Method of single sign-on emphasizing privacy and minimal user maintenance
US20050165698A1 (en) * 2002-05-25 2005-07-28 Cho Ku G. User authentication method and system using user's e-mail address and hardware information
US20060155993A1 (en) * 2003-02-21 2006-07-13 Axel Busboon Service provider anonymization in a single sign-on system
US20120159588A1 (en) * 2008-11-24 2012-06-21 Microsoft Corporation Distributed single sign on technologies including privacy protection and proactive updating

Family Cites Families (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7899173B2 (en) * 2000-07-14 2011-03-01 Context Connect, Llc Communication connectivity via context association, advertising sponsorship, and multiple contact databases
EP1618478A4 (en) 2003-03-13 2007-10-03 Drm Technologies L L C Secure streaming container
US7080104B2 (en) 2003-11-07 2006-07-18 Plaxo, Inc. Synchronization and merge engines
US8041745B2 (en) * 2005-09-15 2011-10-18 At&T Intellectual Property I, L.P. Methods for managing aggregated address books
CA2568096C (en) 2005-12-08 2008-07-29 Sxip Identity Corporation Networked identity framework
US7747540B2 (en) 2006-02-24 2010-06-29 Microsoft Corporation Account linking with privacy keys
US8078880B2 (en) 2006-07-28 2011-12-13 Microsoft Corporation Portable personal identity information
CN103152170A (en) 2007-09-14 2013-06-12 安全第一公司 Systems and methods for managing cryptographic keys
US9197417B2 (en) 2009-04-24 2015-11-24 Microsoft Technology Licensing, Llc Hosted application sandbox model
US9075663B2 (en) 2010-05-12 2015-07-07 Samsung Electronics Co., Ltd. Cloud-based web workers and storages
US8839395B2 (en) * 2011-05-13 2014-09-16 Cch Incorporated Single sign-on between applications
US9479490B2 (en) 2013-06-07 2016-10-25 Apple Inc. Methods and systems for single sign-on while protecting user privacy

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2001072009A2 (en) * 2000-03-17 2001-09-27 At & T Corp. Web-based single-sign-on authentication mechanism
US20050165698A1 (en) * 2002-05-25 2005-07-28 Cho Ku G. User authentication method and system using user's e-mail address and hardware information
US20060155993A1 (en) * 2003-02-21 2006-07-13 Axel Busboon Service provider anonymization in a single sign-on system
US20040267870A1 (en) * 2003-06-26 2004-12-30 Rozmus John Michael Method of single sign-on emphasizing privacy and minimal user maintenance
US20120159588A1 (en) * 2008-11-24 2012-06-21 Microsoft Corporation Distributed single sign on technologies including privacy protection and proactive updating

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106899546A (en) * 2015-12-17 2017-06-27 阿里巴巴集团控股有限公司 The acquisition methods and device of user profile
CN106899546B (en) * 2015-12-17 2021-05-07 阿里巴巴集团控股有限公司 User information acquisition method and device

Also Published As

Publication number Publication date
TW201506666A (en) 2015-02-16
US20140366110A1 (en) 2014-12-11
US9992188B2 (en) 2018-06-05
US20180359243A1 (en) 2018-12-13
US20170104747A1 (en) 2017-04-13
US9479490B2 (en) 2016-10-25
TWI521373B (en) 2016-02-11
US10693863B2 (en) 2020-06-23

Similar Documents

Publication Publication Date Title
US10693863B2 (en) Methods and systems for single sign-on while protecting user privacy
US10652226B2 (en) Securing communication over a network using dynamically assigned proxy servers
EP2933986B1 (en) Computer-implemented method and computer program product for processing named entity queries using a cached functionality in a domain name system
JP5375976B2 (en) Authentication method, authentication system, and authentication program
US20090013063A1 (en) Method for enabling internet access to information hosted on csd
US9736119B2 (en) Relay proxy providing secure connectivity in a controlled network environment
JP4820928B1 (en) Authentication system and authentication method
JP5466723B2 (en) Host providing system and communication control method
US10389693B2 (en) Keys for encrypted disk partitions
US20120240213A1 (en) Gateway device and method for using the same to prevent phishing attacks
US11949681B2 (en) Authentication and authorization for cloud file system
CN112352411B (en) Registration of the same domain with different cloud service networks
EP2429146B1 (en) Method and apparatus for authenticating access by a service
US9143510B2 (en) Secure identification of intranet network
US20210297411A1 (en) Satelite service for machine authentication in hybrid environments
US11722310B2 (en) Automatically discovering and securely identifying connected systems
CN117061140A (en) Penetration defense method and related device
JP2008287524A (en) Authentication method, authentication device, and program

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14807307

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 14807307

Country of ref document: EP

Kind code of ref document: A1